From owner-freebsd-hackers@FreeBSD.ORG Thu Nov 27 10:26:35 2003
Date: Thu, 27 Nov 2003 08:26:32 -1000
From: Clifton Royston
To: Terry Lambert
cc: freebsd-hackers@freebsd.org
Subject: Re: getpwnam with md5 encrypted passwds
Message-ID: <20031127082632.A27927@tikitechnologies.com>
In-Reply-To: <3FC5A349.3FCA4DE9@mindspring.com>; from tlambert2@mindspring.com on Wed, Nov 26, 2003 at 11:10:01PM -0800
References: <20031126200101.8B45116A4D0@hub.freebsd.org> <20031126112014.C8040@tikitechnologies.com> <3FC5A349.3FCA4DE9@mindspring.com>
User-Agent: Mutt/1.2.5.1i
List-Id: Technical Discussions relating to FreeBSD

On Wed, Nov 26, 2003 at 11:10:01PM -0800, Terry Lambert wrote:
> Clifton Royston wrote:
> > If you will need to do authentication after your program drops
> > privileges, your best course is probably to go through PAM, to install
> > a separate daemon which implements a PAM-supported protocol and which
> > runs with privileges, and then to enable that protocol as a PAM
> > authentication method for your application.
> > [ ... RADIUS example with LDAP mention ... ]
>
> Sounds like a good approach, though I'll point out that had
> you tried LDAP, you would have been hard-put to use LDAP as a
> proxy protocol to another authentication base (a PAM backend
> for an LDAP server, while not quite impossible, would be very
> hard).

Glad I went with my gut feeling rather than wasting a lot of time
looking into it then...

> How did you avoid the recursion problem of the RADIUS server
> trying to authenticate via pam_radius to the RADIUS server
> trying to authenticate ...

That is avoided two ways, either of which would do to prevent the
deadly recursion. First, the RADIUS server (FreeRadius) is currently
set up to implement "Unix auth" directly against spwd.db, not via PAM.
Second, it's not enabled as the default PAM authentication method for
all applications, only for some specific application tokens.

We have an intention to add to the application auth against some
separate non-password db files, followed by OTP support down the road.
Hopefully, as it uses PAM, both should now be relatively easy.

-- Clifton

--
Clifton Royston -- cliftonr@tikitechnologies.com
Tiki Technologies Lead Programmer/Software Architect

Did you ever fly a kite in bed?
Did you ever walk with ten cats on your head?
Did you ever milk this kind of cow?
Well we can do it. We know how.
If you never did, you should.
These things are fun, and fun is good.
-- Dr. Seuss
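The architecture described in this message, an unprivileged application handing authentication to a separate privileged daemon over RADIUS, and the two-sided recursion avoidance (the daemon checks credentials against its own local store rather than calling back into PAM), as an added Python example that is not part of the original thread and not FreeRADIUS or pam_radius code. It implements the RFC 2865 PAP exchange on both sides: the client hides User-Password with the MD5-keyed XOR stream, the server recovers it and checks a constructed local user table (standing in for FreeRADIUS reading spwd.db), and the client refuses any reply whose Response Authenticator does not bind it to the request and the shared secret. The shared secret, salt and user table are constructed sample values, and a direct function call stands in for the UDP round trip.

```python
"""RADIUS PAP exchange, client and server, per RFC 2865 (added example, not
FreeRADIUS/pam_radius code). The server side checks a local table only and never
re-enters PAM, which is the recursion the thread's setup avoids."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

# Constructed sample data (hypothetical secret, salt and user table). In the
# thread's setup this role is played by FreeRADIUS reading spwd.db directly.
SECRET = b"constructed-shared-secret"
_SALT = b"constructed-salt"
USER_DB = {b"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 10_000)}


def local_check(user: bytes, password: bytes) -> bool:
    """Server-side credential check against the local table only (no PAM call)."""
    stored = USER_DB.get(user)
    if stored is None:
        return False
    return hmac.compare_digest(stored, hashlib.pbkdf2_hmac("sha256", password, _SALT, 10_000))


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous
    ciphertext block); the first block is keyed by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; trailing NUL padding is removed as servers do."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def _attr(atype: int, value: bytes) -> bytes:
    """Encode one attribute as Type(1) Length(1, includes header) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def _parse_attrs(data: bytes) -> dict:
    """Walk the attribute TLVs, rejecting lengths that do not fit the packet."""
    attrs = {}
    while data:
        atype, alen = struct.unpack("!BB", data[:2])
        if alen < 2 or alen > len(data):
            raise ValueError("malformed attribute")
        attrs[atype] = data[2:alen]
        data = data[alen:]
    return attrs


def build_access_request(ident: int, user: bytes, password: bytes, secret: bytes) -> bytes:
    """Client side: Code, Identifier, Length, random Request Authenticator, attributes."""
    authenticator = os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, user)
    attrs += _attr(ATTR_USER_PASSWORD, hide_password(password, secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def server_handle(packet: bytes, secret: bytes, check_password) -> bytes:
    """Privileged daemon side: recover the password, consult check_password, and
    answer with a Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    if len(packet) < 20:
        raise ValueError("packet too short")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    req_auth = packet[4:20]
    attrs = _parse_attrs(packet[20:length])
    hidden = attrs.get(ATTR_USER_PASSWORD)
    ok = hidden is not None and check_password(
        attrs.get(ATTR_USER_NAME, b""), reveal_password(hidden, secret, req_auth))
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return header + hashlib.md5(header + req_auth + secret).digest()


def client_verify_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """Accept a reply only if its Identifier matches and its Response Authenticator
    verifies under the shared secret; an unauthenticated Access-Accept is worthless."""
    if len(response) < 20:
        return False
    _code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def authenticate(user: bytes, password: bytes, ident: int = 7) -> bool:
    """End-to-end: build the request, hand it to the daemon (direct call in place of
    UDP), verify the reply, and return the verdict."""
    request = build_access_request(ident, user, password, SECRET)
    response = server_handle(request, SECRET, local_check)
    if not client_verify_response(request, response, SECRET):
        raise ValueError("response failed authentication; drop it")
    return response[0] == ACCESS_ACCEPT


if __name__ == "__main__":
    print("alice/correct:", authenticate(b"alice", b"correct horse"))
    print("alice/wrong:  ", authenticate(b"alice", b"wrong"))
```

The second half of the message's recursion avoidance is a PAM policy choice rather than code: on FreeBSD, pam_radius would be listed in the policy file of the specific service that needs it under /etc/pam.d/, not in the fallback /etc/pam.d/other policy, so the daemon's own local lookups never hit a PAM stack that points back at it.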